The Beauty of Immutability
Imagine one or more of your systems is unavailable because of some malicious attack, whether a nasty virus, ransomware, or sabotage from a disgruntled employee. No worries, these things happen — you’ll recover from backup. Except you discover that your backups have been compromised in the same manner (this has happened).
This is usually where the term air gap gets dropped. Someone will say, “you need a truly offline backup — tape! There’s no way ransomware can get into a tape backup!” While that’s true, how long does it take to recover from tape stored in a land somewhere far, far away? If a backup takes so long to restore that there’s major financial or business impact, does it actually exist? Realistically, there are ways to protect your data stored by backup systems even without this gap.
I recently wrote a blog post about immutable infrastructures, but compute infrastructure is not the only place where immutability matters in the data center. Immutable, by definition, means the state is set or inflexible once constructed. In other words, it cannot be changed. For compute, the goal is to build a more reliable automated infrastructure in order to enable stable continuous delivery.
Data has become a major currency, and we need to figure out how to address that. People are generating more data than ever before, with 40 zettabytes expected to be created by 2020. That’s only two years from now! Data is essential for companies, and it is going to spell an era of innovation as companies attempt to balance security concerns with figuring out how to manage massive amounts of data. I think the same goals apply to data management: ingest, manage, and store data immutably; any modifications are made using a new copy — leaving the original untarnished; and all of this should be done continuously using automation.
Data immutability protects against the most common causes of data loss and data manipulation, including:
- Malicious activity, such as viruses and ransomware
- Administrative mishaps or purposeful sabotage
- Application bugs
All applications and data ingested by Rubrik are stored in an immutable manner. Once ingested, no external or internal operation can modify the data. Data managed by Rubrik is never available in a Read/Write state to the client. This is true even during a restore or Live Mount operation. Since data cannot be overwritten, even infected data later ingested by Rubrik cannot infect other existing files or folders.
The latest ransomware programs like WannaCry and Petya work by encrypting data and then demanding payment for the decryption keys. Data managed by Rubrik is immutable and cannot be encrypted after the fact. Therefore, your data held in Rubrik is immune to these types of malicious activity.
By combining immutability with data encryption at rest and in transit, and with granular role-based access control built into the product, Rubrik provides a holistic stance on security and data integrity.